Properly "locking" a useraccount (on a proxy)

Timo Sirainen tss at
Fri Oct 24 23:43:28 UTC 2014

On 21 Oct 2014, at 11:27, Ralf Hildebrandt <r at> wrote:

> But how can I "lock" a user during migration?
> The plan is:
> ============
> * lock the user
> * kick the user (doveadm kick)
> * migrate mailbox (some rsync magic)
> * unlock the user again

An alternative is to use "doveadm sync", and you don't necessarily even need to lock anything at all.

> But how would I lock the user?
> What locking needs to achieve:
> 1) Disallow IMAP/POP login (that's easy!)

Yeah, many ways.

> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

 - LMTP proxy does a passdb lookup. I'm not sure if there's any good way to fail in here. I was planning to suggest allow_nets= but looks like LMTP proxying just ignores that. Fixed now:

 - LMTP backend does a userdb lookup. Userdb lookup can return either "user doesn't exist" or "temporary failure". Nothing else. You can have it return a temporary failure by having it return the "tempfail" extra field.
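
Added example, not part of the original message: one way to set and clear the "tempfail" userdb extra field around a migration, assuming the backend's userdb is a Dovecot passwd-file. The function names are hypothetical; the `userdb_` prefix and the space-separated extra-fields column follow the passwd-file format.

```python
import os
import tempfile

# The userdb_ prefix makes a passwd-file extra field part of the userdb reply.
FIELD = "userdb_tempfail"


def set_tempfail(line: str, locked: bool) -> str:
    """Return one passwd-file line with the tempfail field set or cleared."""
    # user:password:uid:gid:gecos:home:shell:extra_fields
    # Split at most 7 times so colons inside extra fields survive.
    parts = line.split(":", 7)
    if len(parts) < 8:
        if not locked:
            return line  # no extra-fields column, nothing to clear
        parts += [""] * (8 - len(parts))
    # Assumption: extra fields are space-separated key=value pairs.
    extras = [f for f in parts[7].split(" ")
              if f and f.split("=", 1)[0] != FIELD]
    if locked:
        extras.append(FIELD + "=y")
    parts[7] = " ".join(extras)
    return ":".join(parts)


def lock_user(path: str, user: str, locked: bool) -> bool:
    """Rewrite the passwd-file atomically; return True if the user was found."""
    found = False
    out = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            is_entry = line and not line.startswith("#")
            if is_entry and line.split(":", 1)[0] == user:
                line = set_tempfail(line, locked)
                found = True
            out.append(line + "\n")
    if found:
        # Write beside the original so os.replace() is an atomic rename.
        # Mode is copied; ownership is not, so run as the file's owner.
        directory = os.path.dirname(os.path.abspath(path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.writelines(out)
        os.chmod(tmp, os.stat(path).st_mode & 0o7777)
        os.replace(tmp, path)
    return found
```
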
